The Travesty of Internal Security
Wednesday, April 24, 2002
If you follow the IT Security scene a little bit then you've probably heard this statement:
"Most computer system security breaches are from employees"
There's countless recent references I can quote on this one. Try these for starters:
- ZDNET : Your worst security threat : Employees?
- NZ Infotech : Don't overlook the potential security threat from within
- Employees bigger threat than hacker. [KPMG study]
Is there really a serious risk of attacks from employees and internal users?
Time for a metaphor.
Take a look around your office. Chances are there is nice carpet, walls, partitions, maybe plants and paintings and so on. Have you ever noticed that these things aren't protected against damage? Unless you're working in a prison, your walls aren't covered in steel cladding to protect them, nor is your furniture and carpet. But why are they not protected? Surely, they pose a security risk because anyone at any time could come along and punch a hole in your wall or smash up your desk with an axe. But this just doesn't happen. Why not? For a few reasons :
- you trust the people working around you, and
- if someone did cause damage, it would be easy to identify them and punish the perpetrator
But, if you follow what many IT security experts are saying, then you must harden your internal systems to protect against internal threats. So, what gives? Is there a real threat from the internal users of IT systems?
I'll try to explain here where these figures are coming from and why they're being thrown about so much.
Internal security events are easy to detect.
... and it's easy to trace down the perpetrator. Just like tracking down the person who punched a hole in your office wall, tracking down someone that has "hacked" their way into your file server is easy. Simply tracking their IP address back to a workstation, checking who was logged onto the network at the time, and considering who has the technical knowledge to perform the feat will lead you to the perpetrator fairly quickly and painlessly. Collect up the evidence and hand it over to the HR manager and the issue is all over. Of course, attackers coming in from your Internet connection will be much harder to trace. Since it's easier to detect internal security breaches, it follows that companies will report more of them.
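To illustrate the trace described above (IP address to workstation to logged-on user), here is an added example that is not part of the original post. The alert line, DHCP lease history, and logon sessions are constructed sample records with invented formats and names; the same IP appears in two leases on different days, so the lookup is done by time rather than by address alone.

```python
import re
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (not from the original post; formats are invented).
# A file-server alert line: when, which server, what happened, and the source IP.
SERVER_ALERT = "2002-04-24 09:12:05 FILESRV01 unauthorized-access share=Payroll src=10.1.4.57"

# DHCP lease history: (ip, hostname, lease_start, lease_end). The same IP was
# handed to a different workstation the day before, so the alert time matters.
DHCP_LEASES = [
    ("10.1.4.57", "WS-LAB-03",  "2002-04-23 08:00:00", "2002-04-23 18:00:00"),
    ("10.1.4.57", "WS-ACCT-12", "2002-04-24 08:30:00", "2002-04-24 16:30:00"),
]

# Interactive logon sessions: (hostname, user, logon, logoff).
LOGON_SESSIONS = [
    ("WS-ACCT-12", "jsmith", "2002-04-24 08:45:00", "2002-04-24 12:00:00"),
    ("WS-ACCT-12", "mjones", "2002-04-24 13:05:00", "2002-04-24 17:00:00"),
]

ALERT_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) .*?src=(\d+\.\d+\.\d+\.\d+)")


def _within(when, start, end):
    """True when `when` falls inside the [start, end] window of a record."""
    return datetime.strptime(start, TS) <= when <= datetime.strptime(end, TS)


def trace_alert(alert, leases=DHCP_LEASES, sessions=LOGON_SESSIONS):
    """Walk an alert back to a workstation and the user logged on at that time.

    Returns (hostname, user); either is None when the records do not cover the
    alert time, which is the usual reason such a trace fails (missing or
    expired logs, or nobody logged on interactively).
    """
    m = ALERT_RE.match(alert)
    if not m:
        raise ValueError("unrecognised alert line")
    when = datetime.strptime(m.group(1), TS)
    src_ip = m.group(4)

    # Step 1: which workstation held that IP address at that moment?
    host = next((h for ip, h, s, e in leases
                 if ip == src_ip and _within(when, s, e)), None)
    if host is None:
        return None, None

    # Step 2: who was logged on to that workstation at that moment?
    user = next((u for h, u, s, e in sessions
                 if h == host and _within(when, s, e)), None)
    return host, user
```

Calling `trace_alert(SERVER_ALERT)` yields the workstation and user; an alert timestamped outside any lease or logon window yields `None` for the missing step instead of a guess.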
Internal users are (in general) morons.
Most internal security problems are relatively minor, and in many cases they can be classed as accidental. Many are caused by users opening virus-ridden Email attachments ( technically, trojan horses ) and infecting many internal systems with the virus. There is also a large number of cases of inappropriate use : you know, sending pornographic images, chain letters, threats, and so on. Each such event will be classed as a security breach. They probably shouldn't be classed as such since they are really HR-department problems more than they are IT management problems.
Internet firewalls are commonly deployed and do their job.
Note that we're talking about actual security breaches as opposed to attempted breaches. If you've got a decent Internet firewall in place there will be many attempted attacks, but chances are there will be very few successful breaches : these devices are good at doing their jobs. Very few hackers will even try performing a full-on attack against a firewall because they know how hard it is to successfully breach the system. With a very low number of successful external breaches, the percentage of internal breaches increases.
Take a look at who is quoting these figures.
You're connected to the Internet ( and who isn't ? ) you've got a firewall box, and a virus scanner, what more do you need? Well, there's a lot of security system vendors out there who want to expand their market - and one way they can do that is by selling security products for the internal enterprise systems. There are a lot of large corporations which have large networks inside their Internet firewall which hold an awful lot of valuable information. In other words, if security product vendors can create a demand to sell products into this environment, then they can expand their markets enormously.
So, should you take your internal security seriously?
In short, yes, although security of internal systems isn't the disaster area often portrayed in the press and by vendors. Probably the biggest threat to internal systems is from disgruntled employees who are intent on causing damage : there is little you can do to properly protect your systems in this case, but a little reasonable effort goes a long way.
Accurate figures are hard to come by. In a recent survey of UK companies ( Information Security Breaches Survey 2002 ), it was reported that 34% of businesses report that their worst security incident was caused by an insider, whereas 60% were caused by external sources. But bear in mind that this could include non-malicious acts such as a user opening an Email and releasing a powerful virus on the internal network ( this happens frequently ). Other security surveys contain similar figures :
- The CSI Cybercrime survey of 2001 estimated 25% of cybercrime perpetrators were internal ( employees )
- The 2001 CSI/FBI Computer Crime and Security survey cites internal attacks at 31% of total attacks.
The following is a list of reasonable steps that should be taken to secure internal systems :
- Educate users about the proper use of IT systems and security-sensitive applications such as Email. This will reduce the threat of internal viruses and worms as well as reducing the cases of inappropriate use of systems.
- Make sure all servers have restricted access with administrator accounts secured by strong passwords.
- Access to gateway systems ( routers, firewalls, etc ) should be very tightly controlled with access granted to only one or two trustworthy people.
- Remote access to internal systems ( dial-up, Internet-VPN, etc ) must be strictly controlled.
- Servers and network equipment should be kept in a locked room.
- If an employee is to be dismissed ( or made redundant ) and there is a risk that that person will retaliate, then revoke all of the employee's access to systems as soon as notice is given, if not before.
- Make an effort to keep software patches up to date. This can be a hard job and very time-consuming, but it is a job which needs to be done.